Re: [Declude.JunkMail] Sample Configs

2004-11-05 Thread Imail_Forum
LOL.  This is some great information for all the responses that I have
gotten.  I have been messing with my configs, seems like weekly, for about 2
years now.  Was curious what other people were doing.  Running 3 IMail
servers and handling about 700,000 messages a day now for over 500 domains.
Fun times :)   This product has been the best I have used since I have
been trying out others over the course of the last 2 years.  And the support is
incredible (hat off to Scott Perry).

Thanks for all the info!

Mark Mitchell
Inwave Internet Inc.

- Original Message - 
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 05, 2004 4:38 PM
Subject: RE: [Declude.JunkMail] Sample Configs


> Yeah, what Matt said.
>
> In my own words: Everybody has a custom configuration, so what works for
> them WON'T work for you.
>
> Since you've only just re-joined the list, I'll mention that Markus Gufler
> and Pete McNeil have collaborated on the back-end for a nifty graph
> indicating just how useful the tests are on Markus' domain:
>
> http://www2.spamchk.com/public.html
>
> See the bottom of the page for a link to the explanation.
>
> Besides acquiring Message Sniffer, you really ought to make a trip to
> http://www.declude.com and check what's current in the manual.  Downloading
> the current package of declude and the global.cfg would be useful as well,
> as you're really the only one that can compare and contrast what's new since
> you've been away.
>
> You'll probably frequently find mention of IP4R tests that are new to you.
> See the Declude page that lists all known IP4R tests.
>
> In the manual, you'll find new additional syntax for a few things like
> REVDNS.  If you want to save processing time on your text filters with the
> Declude JunkMail Pro version, there are new directives for stopping the
> processing early or controlling the amount of weight returned, like
> SKIPIFWEIGHT, MINWEIGHTTOFAIL and MAXWEIGHT.
>
> Based on those new abilities, you'll probably also want to check into
> combination tests, which are tests that check if some other test has passed
> or failed.  You'll need to understand the order of the processing as it is
> listed in the manual.
>
> Scott Fisher and Matthew Bramble have done a lot of work on combination
> tests and pushed advances in Declude's grammar.  Both share a great deal of
> useful stuff on their websites.
>
> Scott's website:
>
> http://it.farmprogress.com/declude/declude.htm
>
> Matt's website (You won't hear much from Matt, though. He's the shy,
> retiring type):
>
> http://www.mailpure.com/software/decludefilters/
>
> A lot of this is "advanced stuff" and you'll need to spend special attention
> to all your brand-new false positives.  As with everything in IT, don't go
> changing everything at once.
>
> SPF, SPAMDOMAINS, the SpamHaus SBL and XBL are all things you'll want to use
> to stay on top of things.  Check the archives at:
>
> http://www.mail-archive.com/[EMAIL PROTECTED]/
>
> is not the best, but is a decent way to find more about those buzzwords.  It
> looks like it's a week behind right now.
>
> Also very new and popular is a cool script that fetches the SpamCop SURBL
> list and converts it to a BODY filter.
>
> Feel like you're drinking from a firehose yet?
>
> Andrew 8)
>
> -Original Message-
> From: Matt [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 05, 2004 7:40 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Sample Configs
>
>
> It's been my experience that such requests aren't generally answered, at
> least on the list.  More specific requests such as "what DUL lists are
> you using" however generally get answered.  The issue is probably
> related to people not wanting to give away all of their own work.
> Besides, you would otherwise get as many different answers as replies,
> and it would still come down to you making a choice and needing to be
> more informed about what to do.
>
> My first suggestion for anyone running Declude would be to get Sniffer
> (http://www.sortmonster.com).  It's reasonably priced and Sniffer alone
> can tag +95% of your spam with +99.8% accuracy.  The instructions might
> be a little bit confusing at first, but if you make the commitment to do
> this, there are plenty that will help you get it configured.
>
> Matt
>
>
>
> Imail_Forum wrote:
>
> >Hello,
> >
> >   Just signed back up for this list again.  I was wondering if people could
> >share some sample default junkmail files and cfg files?   I am using Declude
> >for anti-spam only as of now and would be interested in seeing how
> >other people are setting theirs up.  Our current config is working
> >pretty good, but would love to make it better.
> >
> >Thanks,
> >Mark Mitchell
> >Inwave Internet Inc.
> >
> >
> >---
> >[This E-mail was scanned for viruses by Declude Virus
> >(http://www.declude.com)]
> >
> >---
> >This E-mail came from the Declude.JunkMail mailing list.  To
> >unsubscribe, just send an E-mai

Re: [Declude.JunkMail] Joe Job Filters

2004-11-05 Thread Matt




I use a combo test for this.  One test identifies various forms of null
senders (there is more than just <> MAILFROM's due to common
customizations so I also include things like postmaster@,
mailer-daemon@, null@, noreply@, etc.).  The other test has an END
statement for TESTSFAILED NOTCONTAINS my null sender test, and then if
that null sender also hits something like a Sniffer test or another
content based filter, I add a bunch of extra weight to the message.

There is nothing that you can do for bounces that contain no original
content.  Also note that most Joe-Jobs are for randomized addresses on
one's domain, and if you are gatewaying you can stop the flow by doing
address validation with another product like VAMSoft's ORF before
IMail/Declude.  That will also stop the dictionary attacks, which
aren't really dictionary attacks, they are just spam floods to guessed
addresses with the hidden spammer benefit of generating bounce messages
to joe-jobbed domains, or in effect using you as a bounce relay.  It's
clear that they don't harvest when they send a domain tens of thousands
of RCPT To's per day, week after week, month after month.  If it is
locally hosted, you must disable the nobody alias and IMail will reject
the bad recipients.

Matt



Scott Fisher wrote:

> Does anyone have a filter that works well on stopping Joe Job bounces
> (preferably while not stopping legit bounces...)?


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




RE: [Declude.JunkMail] Joe Job Filters

2004-11-05 Thread Markus Gufler



There are 3 different types of NDR's caused by joe jobs.

All 3 are coming back not from spammy servers but from legit servers
bouncing spam messages with wrong recipient addresses. (so far nothing new)

I've identified the following 3 types

a.) NDR with the part of the original spam message in the body (usually the
header and some lines of the original body)
In the best case some content filter is able to detect enough in this
original header to catch it as spam.
As I can understand it would be useful to have an external test that is able
to search in the body of these NDRs for IP-addresses that are part of the
original header and run them against the configured IP4R tests. So this will
be a task (and test) for Declude itself and not an external test.

b.) NDR with the original spam message as attachment
It would be useful if Declude would be able to detect such attached messages
and re-run the entire test on this attached message instead of the NDR, and
then apply the resulting action to the entire NDR.

c.) NDR's without any source of the original message.
Difficult. Theoretically something like Declude "JoeJack" could work. Means
counting the number of NDR's in a certain time range. If more than x messages
between y minutes are coming in to a single user's mailbox then mark these
NDR's as spam.

Up to now this all is theory and as I've seen joe jobs are coming and going.
If someone is victim of a joe job it becomes urgent until there are no more
NDR's...
 
Markus
 
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
  Sent: Friday, November 05, 2004 11:40 PM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] Joe Job Filters
  
  Does anyone have a filter that works well on 
  stopping Joe Job bounces (preferably while not stopping legit 
  bounces...)?
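
The null-sender test from Matt's reply and the "more than x NDRs within y minutes" count from type c.) above, combined in one sketch. This is an added example, not code from the thread or from Declude; the function names, the thresholds passed for x and y, and the sample events are assumptions made for illustration.

```python
"""Added example: flag bursts of bounces (NDRs) addressed to one mailbox."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Local parts treated as "null senders" in addition to the empty <> return
# path, as listed in the thread (postmaster@, mailer-daemon@, null@, noreply@).
NULL_LOCAL_PARTS = {"postmaster", "mailer-daemon", "null", "noreply"}


def is_null_sender(mail_from):
    """True for <> and for the customised bounce senders named above."""
    addr = mail_from.strip().strip("<>").strip().lower()
    if not addr:
        return True
    return addr.split("@", 1)[0] in NULL_LOCAL_PARTS


def flag_ndr_bursts(events, max_ndrs, window):
    """Return indexes of null-sender messages that push a recipient over
    max_ndrs bounces inside the sliding window.

    events: list of (timestamp, envelope sender, recipient) in arrival order.
    Messages are judged as they arrive, so the first max_ndrs bounces to a
    mailbox always pass; a single legitimate bounce is never flagged.
    """
    recent = defaultdict(deque)  # recipient -> timestamps of recent NDRs
    flagged = []
    for index, (when, mail_from, rcpt) in enumerate(events):
        if not is_null_sender(mail_from):
            continue  # ordinary mail is not counted at all
        seen = recent[rcpt.strip().lower()]
        # Drop bounces that have aged out of the window.
        while seen and when - seen[0] > window:
            seen.popleft()
        seen.append(when)
        if len(seen) > max_ndrs:
            flagged.append(index)
    return flagged


# Constructed sample traffic (not taken from any real log).
BASE = datetime(2004, 11, 5, 23, 0, 0)
SAMPLE_EVENTS = [
    (BASE, "<>", "alice@example.com"),
    (BASE + timedelta(minutes=1), "MAILER-DAEMON@mx1.example.net", "alice@example.com"),
    (BASE + timedelta(minutes=1), "carol@example.org", "alice@example.com"),
    (BASE + timedelta(minutes=2), "<postmaster@mx2.example.net>", "alice@example.com"),
    (BASE + timedelta(minutes=3), "<>", "bob@example.com"),
    (BASE + timedelta(minutes=3), "<>", "alice@example.com"),
    (BASE + timedelta(minutes=4), "noreply@mx3.example.net", "Alice@example.com"),
    (BASE + timedelta(minutes=30), "<>", "alice@example.com"),
]

if __name__ == "__main__":
    hits = flag_ndr_bursts(SAMPLE_EVENTS, max_ndrs=3, window=timedelta(minutes=10))
    for i in hits:
        when, sender, rcpt = SAMPLE_EVENTS[i]
        print(f"{when:%H:%M} burst NDR from {sender} to {rcpt}")
```

In a scoring setup the flagged messages would receive extra weight rather than be dropped outright, so a burst only tips a message over the threshold together with other failed tests.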


[Declude.JunkMail] Joe Job Filters

2004-11-05 Thread Scott Fisher



Does anyone have a filter that works well on 
stopping Joe Job bounces (preferably while not stopping legit 
bounces...)?


RE: [Declude.JunkMail] Sample Configs

2004-11-05 Thread Colbeck, Andrew
Yeah, what Matt said.

In my own words: Everybody has a custom configuration, so what works for
them WON'T work for you.

Since you've only just re-joined the list, I'll mention that Markus Gufler
and Pete McNeil have collaborated on the back-end for a nifty graph
indicating just how useful the tests are on Markus' domain:

http://www2.spamchk.com/public.html

See the bottom of the page for a link to the explanation.

Besides acquiring Message Sniffer, you really ought to make a trip to
http://www.declude.com and check what's current in the manual.  Downloading
the current package of declude and the global.cfg would be useful as well,
as you're really the only one that can compare and contrast what's new since
you've been away.

You'll probably frequently find mention of IP4R tests that are new to you.
See the Declude page that lists all known IP4R tests.

In the manual, you'll find new additional syntax for a few things like
REVDNS.  If you want to save processing time on your text filters with the
Declude JunkMail Pro version, there are new directives for stopping the
processing early or controlling the amount of weight returned, like
SKIPIFWEIGHT, MINWEIGHTTOFAIL and MAXWEIGHT.

Based on those new abilities, you'll probably also want to check into
combination tests, which are tests that check if some other test has passed
or failed.  You'll need to understand the order of the processing as it is
listed in the manual.

Scott Fisher and Matthew Bramble have done a lot of work on combination
tests and pushed advances in Declude's grammar.  Both share a great deal of
useful stuff on their websites.

Scott's website:

http://it.farmprogress.com/declude/declude.htm

Matt's website (You won't hear much from Matt, though. He's the shy,
retiring type):

http://www.mailpure.com/software/decludefilters/

A lot of this is "advanced stuff" and you'll need to spend special attention
to all your brand-new false positives.  As with everything in IT, don't go
changing everything at once.

SPF, SPAMDOMAINS, the SpamHaus SBL and XBL are all things you'll want to use
to stay on top of things.  Check the archives at:

http://www.mail-archive.com/[EMAIL PROTECTED]/

is not the best, but is a decent way to find more about those buzzwords.  It
looks like it's a week behind right now.

Also very new and popular is a cool script that fetches the SpamCop SURBL
list and converts it to a BODY filter.

Feel like you're drinking from a firehose yet?

Andrew 8)

-Original Message-
From: Matt [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 05, 2004 7:40 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Sample Configs


It's been my experience that such requests aren't generally answered, at 
least on the list.  More specific requests such as "what DUL lists are 
you using" however generally get answered.  The issue is probably 
related to people not wanting to give away all of their own work.  
Besides, you would otherwise get as many different answers as replies, 
and it would still come down to you making a choice and needing to be 
more informed about what to do.

My first suggestion for anyone running Declude would be to get Sniffer 
(http://www.sortmonster.com).  It's reasonably priced and Sniffer alone 
can tag +95% of your spam with +99.8% accuracy.  The instructions might 
be a little bit confusing at first, but if you make the commitment to do 
this, there are plenty that will help you get it configured.

Matt



Imail_Forum wrote:

>Hello,
>
>   Just signed back up for this list again.  I was wondering if people could
>share some sample default junkmail files and cfg files?   I am using Declude
>for anti-spam only as of now and would be interested in seeing how
>other people are setting theirs up.  Our current config is working
>pretty good, but would love to make it better.
>
>Thanks,
>Mark Mitchell
>Inwave Internet Inc.
>
>

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Darin Cox
Nope...4 bytes = 32 bits.  To be able to isolate a single test from a
combined result, you have to be able to factor the sum somehow.  The most
common way to do it is with bit masking.

So consider Test1 that has a weight of 1, Test2 has a weight of 2, Test3 has
a weight of 4, etc.  Now if your total weight was 6 you would know that 6 =
2^1 + 2^2 and be able to determine that Tests 2 and 3 failed, while all
others passed.

Darin.


- Original Message - 
From: "DLAnalyzer Support" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 05, 2004 8:53 AM
Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for
Declude) 0.5.57 released


Darin,

If it's an unsigned 4-byte wouldn't it be 4,294,967,295 tests?

Darrell


Darin Cox writes:

> This is the same idea I mentioned a year ago when we were all talking
> about combo tests in Declude... only problem being if you use more unique
> tests than the numeric type supported.  Assuming the weight/bitmask number
> is a 4-byte unsigned int, then we have a maximum of 32 tests.
>
> Darin.
>
>
> - Original Message - 
> From: Matt
> To: [EMAIL PROTECTED]
> Sent: Friday, November 05, 2004 7:35 AM
> Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for
> Declude) 0.5.57 released
>
>
> If you don't mind me expanding on the bitmask idea... Sniffer users would
> benefit from this greatly as many spams fail multiple Sniffer tests.  This
> would allow us to score each result code that it returned, i.e.
>
> SNIFFER-GENERAL        bitmask   1    "C:\IMail\Declude\Sniffer\execode.exe mycode"   6   0
> SNIFFER-EXPERIMENTAL   bitmask   2    "C:\IMail\Declude\Sniffer\execode.exe mycode"   6   0
> SNIFFER-OBFUSCATION    bitmask   4    "C:\IMail\Declude\Sniffer\execode.exe mycode"   6   0
> SNIFFER-IP             bitmask   8    "C:\IMail\Declude\Sniffer\execode.exe mycode"   4   0
> SNIFFER-CASINO         bitmask   16   "C:\IMail\Declude\Sniffer\execode.exe mycode"   8   0
> ...
>
> So if a test such as Sniffer returned a result code of 26, that would mean
> it hit SNIFFER-CASINO, SNIFFER-IP and SNIFFER-EXPERIMENTAL.
>
> That would be huge :)
>
> Matt
>
>
> Matt wrote:
>
>   Yes, I would be interested in this very much since it would greatly ease
>   the management, testing and reporting of such tests, and I have been working
>   on something myself that would be capable of returning both positive and
>   negative weights and I didn't want to be running it twice to get the
>   separation in log lines.
>
>   Something else that is a bit OT regarding external tests...I would be
>   very interested in finding a way to run an external test once and return
>   multiple result codes, that way if you for instance were testing different
>   things that both required substantial code and extra I/O, you could make
>   things much more efficient and also greatly simplify the management of your
>   code.  I understand of course that you could create a set of 4 result codes
>   to represent the combination of two hits, but it quickly becomes unwieldy as
>   it grows exponentially.  Is there a way that you could return multiple
>   result codes and have Declude fail multiple tests without running the test
>   multiple times?  I'm thinking that something like a bitmask returned and
>   then interpreted by Declude to match zero to many tests.
>
>   http://www.joestump.net/170933118/a-quick-bitmask-howto-for-programmers
>
>   Note that if this was available, I would probably prefer this over
>   weight+ and weight- for my own needs since I don't perceive being able to do
>   both :)
>
>   Thanks,
>
>   Matt
>
>
>
>   Markus Gufler wrote:
>
> Yet another update to SPAMC32 that's useful when deployed as
> a Declude 'weight'  test type. See the release notes below
> and download from the traditional /release folder.
>
> As SpamChk is not anymore alone as external 'weight' test maybe also SPAMC32
> users are interested in having 'weight+' and 'weight-'
> So it would be possible to configure two config lines one for a positive the
> other for negative results.
>
> For example
>
> SPAMASSASSIN+ weight+ c:\imail\...
> SPAMASSASSIN- weight- c:\imail\...
>
>
> The benefits?
>
> 1.) It would become possible to use the results of weight tests for
> combination filters.
> Up to now it was not possible to assign extra points, for example if an
> IP4R-test and SPAMCHK has failed.
> As both tests are technically completely different the combination would be
> highly accurate.
> You can see this for example on http://www2.spamchk.com/public.html on the
> already existing COMBO-... tests.
>
> 2.) Creating reports would be much easier and more clear if weight tests can
> be separated like shown above.
>
> I've suggested this some months ago to Scott. Maybe now with some additional
> interested parties...
>
> Markus
>
>

Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Darin Cox



I certainly understood your desires... I was extending it to what was
originally proposed a year ago for combo testing within Declude.  I think
most people using Pro have gone to filters to do this instead, since it's
easier that way.  But those on Standard could use bitmasking to achieve the
same combo test results.

Darin.


- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Friday, November 05, 2004 9:04 AM
Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for
Declude) 0.5.57 released

Darin,

Correct me if I'm wrong, but I was expecting that this would only be
internal to one external test at one time and have no effect on anything
else, i.e. DNSBL's.  So the only limitation would be 32 result codes for each
external test which is workable.  I would also imagine that a different
variable type could be used for a 'bitmask' type rather than a 'nonzero',
'weight' or 'external' type.

Matt

Darin Cox wrote:

  
  Certainly...I was thinking of it in the broader sense, though.  For
  example, we run more than 32 tests within Declude, so it would only work
  for us if we culled the list down a bit, which we could probably do quite
  easily with a lot of the DNSBLs that rarely get hit and are almost always
  covered by others.

  Also, I don't know for sure whether Scott or Pete use unsigned 4-byte ints
  for the weights.  Scott actually probably uses signed ints, so you lose
  half of the bits...and if the weight is a 2-byte signed int then the number
  of available bits drops to 15.

  Darin.
   
   
  - Original Message -
  From: Matt
  To: [EMAIL PROTECTED]
  Sent: Friday, November 05, 2004 8:41 AM
  Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC
  for Declude) 0.5.57 released

  I could deal with 32 result codes for a single test :)

  I'm hoping that Pete will weigh in on this.  We had a discussion once
  about how to weight multiple hits, and he was leaning towards an internal
  probability based method, but this would give us far more flexibility as
  administrators IMO.

  Yesterday on my system Sniffer returned 118,909 results (clean and
  failed), and of the 104,942 failed result codes, there were a total of
  316,206 result codes meaning an average of just about 3 result codes for
  each time a message failed Sniffer.  I was careful not to double count the
  final result with each result code.

  Being able to get an average of 3 Sniffer hits per message would allow me
  to reduce the weights slightly to protect from false positives, and end up
  scoring spam with much higher weights as a result.  This would help my
  system immensely.

  I could also use this for my own programming, but enhancing Sniffer in
  this way would have broad implications across Declude's customer base.

  Matt

  Darin Cox wrote:
  



This is the same idea I mentioned a year ago when we were all talking about
combo tests in Declude... only problem being if you use more unique tests
than the numeric type supported.  Assuming the weight/bitmask number is a
4-byte unsigned int, then we have a maximum of 32 tests.

Darin.


- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Friday, November 05, 2004 7:35 AM
Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC
for Declude) 0.5.57 released

If you don't mind me expanding on the bitmask idea... Sniffer users would
benefit from this greatly as many spams fail multiple Sniffer tests.  This
would allow us to score each result code that it returned, i.e.

    SNIFFER-GENERAL        bitmask   1    "C:\IMail\Declude\Sniffer\execode.exe mycode"   6   0
    SNIFFER-EXPERIMENTAL   bitmask   2    "C:\IMail\Declude\Sniffer\execode.exe mycode"   6   0
    SNIFFER-OBFUSCATION    bitmask   4    "C:\IMail\Declude\Sniffer\execode.exe mycode"   6   0
    SNIFFER-IP             bitmask   8    "C:\IMail\Declude\Sniffer\execode.exe mycode"   4   0
    SNIFFER-CASINO         bitmask   16   "C:\IMail\Declude\Sniffer\execode.exe mycode"   8   0
    ...

So if a test such as Sniffer returned a result code of 26, that would mean
it hit SNIFFER-CASINO, SNIFFER-IP and SNIFFER-EXPERIMENTAL.

That would be huge :)

Matt

Matt wrote:

  Yes, I would be interested in this very much since it would greatly ease
  the management, testing and reporting of such tests, and I have been
  working on something myself that would be capable of returning both
  positive and negative weights and I didn't want to be running it twice to
  get the separation in log lines.

  Something else that is a bit OT regarding external tests...I would be very
  interested in finding a way to run an external test once and return
  multiple re

Re: Re[2]: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Darin Cox
Yep...that's what I said signed int loses a bit... I mentioned it
because I believe Declude probably uses signed ints, since there can be
positive or negative weighting...but you make a good point that if you're
using it for bitmasking, then you could probably use the full bitspace.

But the real question still remains of whether 2 or 4-byte ints are used.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Darin Cox" <[EMAIL PROTECTED]>
Sent: Friday, November 05, 2004 10:38 AM
Subject: Re[2]: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for
Declude) 0.5.57 released


On Friday, November 5, 2004, 8:51:04 AM, Darin wrote:

DC> Also, I don't know for sure whether Scott or Pete  use
DC> unsigned 4-byte ints for the weights. Scott actually probably
DC> uses  signed ints, so you lose half of the bits...and if the
DC> weight is a 2-byte signed  int then the number of available bits
DC> drops to 15.

Actually, a signed int only loses a single bit, and only if you don't
want to allow the negative numbers --- so in reality all of the bits
in a bitmask type result _should_ be available -- that might be 32 or
16 as you point out. Most likely it's 32 bits since that's the default
these days.

_M
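
The bitmask idea discussed across this thread (Darin's 6 = 2 + 4 factoring, Matt's SNIFFER-* table with result code 26, and the signed/unsigned bit counts above), worked through as an added example. It is not code from Declude, Sniffer or any poster: the `bitmask` test type is only the proposal made in the thread, the function names are hypothetical, and reading the first number after the command as the weight applied on a hit is an assumption.

```python
"""Added example: decoding a bitmask result code into individual test hits."""

# (test name, bit value, weight when the bit is set), copied from the config
# lines proposed in the thread. Treating the first trailing number as the
# weight on a hit is an assumption of this example.
SNIFFER_FLAGS = [
    ("SNIFFER-GENERAL", 1, 6),
    ("SNIFFER-EXPERIMENTAL", 2, 6),
    ("SNIFFER-OBFUSCATION", 4, 6),
    ("SNIFFER-IP", 8, 4),
    ("SNIFFER-CASINO", 16, 8),
]


def usable_flags(width_bytes, signed, allow_negative=False):
    """Number of independent tests one integer result code can carry."""
    bits = width_bytes * 8
    # A signed value gives up its top bit only if negative codes are ruled out.
    return bits - 1 if signed and not allow_negative else bits


def to_unsigned(code, width_bytes):
    """Reinterpret a (possibly negative) result code as its raw bit pattern."""
    bits = width_bytes * 8
    if not -(1 << (bits - 1)) <= code < (1 << bits):
        raise ValueError(f"{code} does not fit in {bits} bits")
    return code & ((1 << bits) - 1)


def check_flags(flags, width_bytes):
    """Reject tables whose values are not distinct single bits that fit."""
    seen = 0
    for name, bit, _weight in flags:
        if bit <= 0 or bit & (bit - 1):
            raise ValueError(f"{name}: {bit} is not a single bit")
        if bit >= 1 << (width_bytes * 8):
            raise ValueError(f"{name}: {bit} needs more than {width_bytes} bytes")
        if seen & bit:
            raise ValueError(f"{name}: bit {bit} is already assigned")
        seen |= bit
    return seen


def decode(code, flags=SNIFFER_FLAGS, width_bytes=4):
    """Return (names of tests hit, summed weight, bits that no test claims)."""
    known = check_flags(flags, width_bytes)
    raw = to_unsigned(code, width_bytes)
    hits = [(name, weight) for name, bit, weight in flags if raw & bit]
    names = [name for name, _ in hits]
    total = sum(weight for _, weight in hits)
    return names, total, raw & ~known


def encode(names, flags=SNIFFER_FLAGS):
    """Result code an external test would return to report several hits."""
    by_name = {name: bit for name, bit, _ in flags}
    code = 0
    for name in names:
        code |= by_name[name]
    return code


if __name__ == "__main__":
    for code in (6, 26, 33):
        names, weight, unknown = decode(code)
        print(f"code {code}: {names} weight={weight} unclaimed bits={unknown}")
    print("2-byte signed, no negatives:", usable_flags(2, signed=True), "tests")
    print("4-byte unsigned:", usable_flags(4, signed=False), "tests")
```

Unclaimed bits are returned rather than ignored so that a result code from a newer rule set shows up in reports instead of silently scoring zero.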





RE: [Declude.JunkMail] OT: expanding beyond one mailhost

2004-11-05 Thread Colbeck, Andrew
Thanks, Matt.

For myself, I also found that "DNS caching" and "failed domain skipping"
were good ideas in the lab, but bad in the real world.  I had turned them
off before I saw a problem with Hotmail.com, and later with Microsoft.com
itself.  It's a problem with Microsoft and with Ipswitch; Microsoft
advertises hosts that behave in one of two bad ways: there's no host there,
or there is a host but it doesn't accept mail.  In both cases, Ipswitch has
written IMail such that it handles the case badly, and tries to go to the
same host next time.

My workaround was to host dummy domains in my own local DNS, and only
populate their MX records with hosts that respond.  That's weak, because at
some point that list of hosts will change; meanwhile, it's worked great for
months now.  When that does happen, I'll make another trip to DNSReport.com
and see which hosts they have responding and what their names are (Microsoft
is also mixing up their revdns, helo and forward dns, or have no revdns at
all ... so I fix those up too... to avoid false positives on inbound ham...
yeesh).

On the other topic of expanding mailhosts, I pretty well understand my own
circumstances, but was fishing for experiences.  A smart man learns from his
own mistakes, a wise man learns from the mistakes of others, eh?

As another example, I was wondering if the question would turn up anybody's
negative experience in dealing with multiple declude logs, or your own
experience in spammers hitting your least preferred MX record, or
troubleshooting problems if everything has the same name and only the IP is
different ...

Andrew (there I go, fishing again!)


-Original Message-
From: Matt [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 05, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT: expanding beyond one mailhost


Colbeck, Andrew wrote:

>Thanks, everyone.
>
>I was hoping for more war stories, or specific gotchas with more ornate 
>configurations, so I'm surprised at the few responses.  For example, 
>I've noted that IMail has a queuing problem with HotMail advertising MX 
>servers that don't actually accept mail, or that don't exist, which 
>could come about with normal "downtime" on a mailhost that is still 
>advertised in DNS.
>  
>

The Hotmail issue is really an IMail issue where they poorly implemented 
'DNS caching' and 'failed domain skipping'.  When you turn these off, 
the Hotmail issue reportedly goes away, and I'm not aware of any 
advantages to using them considering that Declude does about 100 times 
the DNS lookups on my system without issue and without caching.  I'm not 
convinced that load balancing with multiple A records would resolve 
anything with this configuration either, so it is of no consequence 
either way as far as I can tell.  Hopefully others that might implement 
some form of DNS caching with failed domain skipping would see fit so as 
to not cache records that fail.

Your setup is just simply a matter of how much of your E-mail you would 
like to go to a particular IP, and if you wished to make use of extra 
weight for messages that bypass a higher priority for no good reason.  I 
doubt that anyone here has had any issues with either running stepped 
priorities or a single priority with round robin load balancing.

Matt

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=



Re: [Declude.JunkMail] Spammer in the news

2004-11-05 Thread Bud Durland
Mark E. Smith wrote:

> Sorta' like living in a town that's driven by tourism and saying "I hate the
> tourists". :)

Actually, we say "Since it's tourist season, what's the limit?"  ;)
--

For it's Tommy this, an' Tommy that, an' "Chuck him out, the brute!"
But it's "Saviour of 'is country" when the guns begin to shoot;
An' it's Tommy this, an' Tommy that, an' anything you please;
An' Tommy ain't a bloomin' fool -- you bet that Tommy sees!
-- Rudyard Kipling, "tommy"
-
Bud Durland, CNE   Mold-Rite Plastics
Network Administrator   http://www.mrpcap.com
-


Re: [Declude.JunkMail] OT: expanding beyond one mailhost

2004-11-05 Thread Matt
Colbeck, Andrew wrote:

> Thanks, everyone.
>
> I was hoping for more war stories, or specific gotchas with more ornate
> configurations, so I'm surprised at the few responses.  For example, I've
> noted that IMail has a queuing problem with HotMail advertising MX servers
> that don't actually accept mail, or that don't exist, which could come about
> with normal "downtime" on a mailhost that is still advertised in DNS.

The Hotmail issue is really an IMail issue where they poorly implemented 
'DNS caching' and 'failed domain skipping'.  When you turn these off, 
the Hotmail issue reportedly goes away, and I'm not aware of any 
advantages to using them considering that Declude does about 100 times 
the DNS lookups on my system without issue and without caching.  I'm not 
convinced that load balancing with multiple A records would resolve 
anything with this configuration either, so it is of no consequence 
either way as far as I can tell.  Hopefully others that might implement 
some form of DNS caching with failed domain skipping would see fit so as 
to not cache records that fail.

Your setup is just simply a matter of how much of your E-mail you would 
like to go to a particular IP, and if you wished to make use of extra 
weight for messages that bypass a higher priority for no good reason.  I 
doubt that anyone here has had any issues with either running stepped 
priorities or a single priority with round robin load balancing.

Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.JunkMail] OT: expanding beyond one mailhost

2004-11-05 Thread Colbeck, Andrew
Thanks, everyone.

I was hoping for more war stories, or specific gotchas with more ornate
configurations, so I'm surprised at the few responses.  For example, I've
noted that IMail has a queuing problem with HotMail advertising MX servers
that don't actually accept mail, or that don't exist, which could come about
with normal "downtime" on a mailhost that is still advertised in DNS.

Mark:

As Bonno remarked, the MX records won't be served up round robin style, just
the A records.  So if you really wanted to spread the load evenly across
your three big servers, you would instead:

Have a single primary MX record, e.g. inbound.example.com

Have 3 round robin A records pointing to the different IP addresses of your
servers.  The hostnames and HELO would no longer match, but I've never heard
about the sender being picky about such things.  You could of course
reconfigure your servers to match the HELO to their new A record.

You would leave the configuration of the 4th server as it has been already.

Microsoft's DNS does round robin automatically; LH Soft's Simple DNS Plus
will do it but the option has to be turned on.

If some other DNS service like BIND or djbdns does round robin on other
record types, that would be good to know...

Pete:

Thanks, "MX Classic" is probably what I'll do, depending on how the existing
MTA continues to scale.  I have the advantage of a private backbone and
geographically separate locations and separate ISPs that I can take
advantage of.

I suspect that I'll find it's easier to keep the bulk of the traffic coming
to my default location as an administrative convenience, even though if I
used round robin to split the traffic between the two locations, I'd find
some optimization on the private backbone, as 50% of the time, the stuff in
one region would just stay in that region.

Nick:

Thanks, it's nice to know who's in the business.  As it is, we're more of a
DIY shop.

Andrew 8)


RE: [Declude.JunkMail] Spammer in the news

2004-11-05 Thread Mark E. Smith
What are we all going to do when there are no more spammers? :)

Sorta' like living in a town that's driven by tourism and saying "I hate the
tourists". :)



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
> Sent: Friday, November 05, 2004 2:32 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Spammer in the news
>
> http://biz.yahoo.com/fool/041105/1099675080_1.html
>
> Hurray


[Declude.JunkMail] Spammer in the news

2004-11-05 Thread Kevin Bilbee
http://biz.yahoo.com/fool/041105/1099675080_1.html

Hurray


Re[2]: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Sanford Whiteman
> Regarding SPAMCHK I can't see any benefit for bitmask return codes.

Yeah, me neither with SPAMC32.

I do like the positive/negative concept, and I'd go it one further: a
WEIGHTXn test type, which allows you to multiply the test result by n.

This would allow for negative returns:

SPAMCHK+ weight . . .
SPAMCHK- weightx-1 . . .

As well as being helpful to those (like me) who use different scales,
like minimum weight 10 on all tests:

SPAMC32 weightx10 . . .

The bitmask idea seems like trying to fit an elephant (verbose result
data) onto the head of a pin (console errorlevel). There are
definitely better ways to pass robust data, such as Declude reading
from STDOUT. But I think STDOUT would also be a half-measure. My ideal
implementation for add-ons is a C library, which would of course allow
any data to be exchanged between Declude and the extension. I'm kind
of surprised that neither Barry nor Scott has mentioned this kind of
move, which I think is a natural fit for whatever form Declude next
takes: if Declude is going to be persistent and multithreaded (which
doesn't mean that it's a standalone MTA, just that it plugs into
MTA(s) that use the library model), rather than multiprocess, it's
looking backward to require all add-ons to be multiprocess.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/
  http://www.mailmage.com/products/software/freeutils/ldap2aliases/download/release/



re: [Declude.JunkMail] Huge increase in spam in the last 2 days

2004-11-05 Thread Joshua Levitsky
From: "Darin Cox" <[EMAIL PROTECTED]>
Sent: Friday, November 05, 2004 8:30 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Huge increase in spam in the last 2 days

Anyone else seeing this?  Wednesday our incoming spam increased by about 80%, and yesterday it increased another 50%...so there was a total of about a 120% increase in two days.

Someone's been busy.  Also, a lot more zombie spam...

Darin.


Re: [Declude.JunkMail] Bitmasking

2004-11-05 Thread Scott Fisher
I think the potential to bitmask is a good idea.
I agree that if something hit two or more Sniffer results, I would be
more tempted to punish harder.

Unfortunately I don't think we are going to see many Declude enhancements in
the near future.
I imagine they are programming like gang-busters to provide the non-Imail
versions.


- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 05, 2004 10:00 AM
Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for
Declude) 0.5.57 released


> Pete McNeil wrote:
>
> >I'm not sure this is really going to be that useful - certainly it
> >would be more complex - but if enough people are interested in the
> >feature then I would build it.
> >
> >
> I think this would be most useful in combining hits for SNIFFER-IP
> and/or SNIFFER-EXPERIMENTAL with categorized spam.  My review of one
> day's logs showed an average of 3 individual hits for each final spam
> result, albeit there probably were many examples of multiple hits within
> a single category which might make the average closer to 2 individual
> result codes for each final spam result.
>
> I've noted that the majority of the false positives that I have reported
> have been single hits, and that suggests that by lowering the weight of
> each individual result, one could help protect from false positives
> while scoring most hits at a higher total weight generated by Sniffer.
> Naturally the config would be optional to your users, especially on
> systems that wouldn't support the bitmask (probably only Declude and
> SpamAssassin would be candidates without influence to other companies).
>
> You certainly should know your own rules better than anyone.  A sampling
> of logs I believe would generate something more conclusive and
> scientific, though I don't think that's necessary for myself.  Someone
> could probably grep out the number of times that a final result happened
> with multiple different result codes and give a hard number for the
> average.
>
> This would also in part solve some of the predominance issues so that it
> wouldn't matter if IP rules took precedence to GENERAL rules under
> normal circumstances, which isn't necessarily desired based on previous
> discussions.
>
> There are certainly other applications for this, for instance SpamChk
> might be able to make better use of this sort of system, and maybe Sandy
> could code up his SpamAssassin connector to make use of this as well.  I
> certainly would like to be able to write a single test that parses the
> E-mail and shares this work over multiple result codes as opposed to
> maintaining two sets of code and having to launch the processes twice.
>
> I pushed the idea for Sniffer because it seemed that there was some
> interest in weighting multiple hits differently in the past based on our
> discussions and such a change would have the widest appeal among the
> Declude customer base.  Despite the fact that you are willing given a
> demand, Declude would also have to support this, though I'm sure that
> you have more influence over that than users like myself.
>
> So I guess there are two things that are left to determine:
>
> 1) Do other people want this functionality in external apps such as
> Sniffer (please speak up if either for or against being able to score
> multiple hits)?
> 2) Would Declude be willing to introduce the functionality?
>
> I would be curious about what Markus' and Sandy's feelings were in
> relation to their own apps as well.
>
> Matt
>
> -- 
> =
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =
>


RE: [Declude.JunkMail] OT: expanding beyond one mailhost

2004-11-05 Thread Mark E. Smith
Will having a mis-matched round-robin MX record vs. HELO on the SMTP server
cause any issues with Spam filters?

IOW, Let's say I setup 1 MX entry:

MX - MX.domain.com (Pref 10)

Then Round robin:
A - MX.domain.com - 192.168.100.1
A - MX.domain.com - 192.168.100.2
A - MX.domain.com - 192.168.100.3

The 3 MX servers will have a HELO string of MX1.domain.com, MX2.domain.com,
MX3.domain.com

Will that mis-match cause a problem?

NOTE: Our MX servers don't send email OUT of our domain. They only receive
email.



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Nick
> Sent: Friday, November 05, 2004 8:44 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] OT: expanding beyond one mailhost
>
> On 4 Nov 2004 at 16:01, Colbeck, Andrew wrote:
>
> Hi Andrew -
>
> > An Off Topic thread ...
> >
> > On various domains I administer, a single point of failure mailhost
> > has been good enough, but I'm shortly going to add a second host on a
> > second network for redundancy.
> If you are looking for a location or simply a backup mx
> please contact me off list. I do backup mx's & colos even for
> others on this list  :)
>
>  a classic MX = 10 and MX = 20 with a separate A
> > record for each.
> This is the way I suggest - as Pete stated:
> "This approach is well understood and time tested... not much
> to go wrong IMO."
>
> -Nick
>


[Declude.JunkMail] ActiveInternet

2004-11-05 Thread John Tolmachoff \(Lists\)
www.activeinternet.com

They claim they are great at spam fighting using SpamAssassin.

However, they do not know what they are doing.

They are sending a Challenge/Response to forged senders:
__

This message has been quarantined and is awaiting review by the recipient. If
you wish to speed the delivery of this message, please click on the link
below. You will have to input the password displayed on the screen.

This is a one time process that will add you to the receipents address book
and all future E-mails will automatically go through.

http://activeinternet.com/NoSpam/ImageForm.aspx?MessageID=spam-984af10
03d609be910100411ae72dbf4-16606-12.bsmtp&EmailAddress=<[EMAIL PROTECTED]
moc>">www.ActiveInternet.Com/NoSpam


Subject: Lowest Price on prescriptio'n
Return-Path: <[EMAIL PROTECTED]>

Delivery of the email was stopped!

=_1099641923-16606-17
Content-Type: message/delivery-status
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Description: Delivery error report

Reporting-MTA: dns; troy.activeinternet.com
Received-From-MTA: smtp; Troy.activeinternet.com ([127.0.0.1])
Arrival-Date: Fri,  5 Nov 2004 02:05:20 -0600 (CST)

Final-Recipient: rfc822; [EMAIL PROTECTED]
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=16606-12
Last-Attempt-Date: Fri,  5 Nov 2004 02:05:23 -0600 (CST)

Final-Recipient: rfc822; [EMAIL PROTECTED]
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=16606-12
Last-Attempt-Date: Fri,  5 Nov 2004 02:05:23 -0600 (CST)

Final-Recipient: rfc822; [EMAIL PROTECTED]
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=16606-12
Last-Attempt-Date: Fri,  5 Nov 2004 02:05:23 -0600 (CST)

Final-Recipient: rfc822; [EMAIL PROTECTED]
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=16606-12
Last-Attempt-Date: Fri,  5 Nov 2004 02:05:23 -0600 (CST)

Final-Recipient: rfc822; [EMAIL PROTECTED]
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=16606-12
Last-Attempt-Date: Fri,  5 Nov 2004 02:05:23 -0600 (CST)

=_1099641923-16606-17
Content-Type: text/rfc822-headers
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Description: Undelivered-message headers

Received: from 200-207-167-39.dsl.telesp.net.br
(200-207-167-39.dsl.telesp.net.br [200.207.167.39])
by Troy.activeinternet.com (Postfix) with SMTP id 866105EC073;
Fri,  5 Nov 2004 02:04:49 -0600 (CST)
Received: from mail2.chicagonet.net by 12.60.200.228 with Microsoft ESMTPSVC
id =; Sat, 06 Nov 2004 02:57:19 +0400
Subject: Lowest Price on prescriptio'n
Date: Fri, 05 Nov 2004 22:01:19 -0100
From: "Marcel Kyle" <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]> 
To: [EMAIL PROTECTED]
MIME-Version: 1.0 
Content-Type: multipart/alternative; 
 boundary="--0-01-071-9199-30372821271550" 

=_1099641923-16606-17--

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Matt
Markus Gufler wrote:
> The only thing that would be useful is, if we can differentiate between
> positive and negative results. Or in other words: If we want to combine or
> analyze SpamChk results it's not so important if the result was +10 or +40.
> But it's a big difference if the result was -10 or +10.
 

If you were willing to define the weights to result codes within your 
app, you could generate both positive and negative weights with 
different test names using a bitmask.  It all depends on how variable 
your weighting system is and whether or not it mattered to step them 
(which it likely would not).  For instance, you could do the following:

   SPAMCHK-PASS(5)   bitmask   -4   "C:\IMail\Declude\spamchk.exe"   0   -5
   SPAMCHK-PASS(3)   bitmask   -2   "C:\IMail\Declude\spamchk.exe"   0   -3
   SPAMCHK-PASS(1)   bitmask   -1   "C:\IMail\Declude\spamchk.exe"   0   -1
   SPAMCHK-FAIL(1)   bitmask   1    "C:\IMail\Declude\spamchk.exe"   1   0
   SPAMCHK-FAIL(3)   bitmask   2    "C:\IMail\Declude\spamchk.exe"   3   0
   SPAMCHK-FAIL(5)   bitmask   4    "C:\IMail\Declude\spamchk.exe"   5   0
   ...

This is different from how Sniffer would work because it sounds like you 
only desire one final result, but you want to have it return a weight 
plus an indication of pass or fail.  You would create a routine that 
mapped the desired weights to a whole bit value in the result code.

The idea of weight- and weight+ would be more appropriate to your needs 
however, and it would require no change on your part.  Sorry to have 
stolen your thread with an alternative idea.  Implementing weight- and 
weight+ would be much easier to implement it would seem, but limited in 
applicability.

> I'm not sure if signed variables could do this for us by using a bitmask
> technique. And I'm also not sure if it's technically possible to use bitmasks
> since the current interface for external tests is the DOS exit-code. As I
> know a value between 0 and 255 ... nothing more.
 

I believe that this is only a limitation of batch files with the 
ERRORLEVEL variable.  While that would give you potentially 8 values, I 
don't believe that the limitation is anywhere near as severe if it 
exists at all with other environments.  WScript seems to support 4-byte 
integers, although they are half negative and half positive so that 
might limit them to being 16 bits/bitmap results without a function to 
remap these in Declude, but I'm not sure if that is required, and I 
don't think that 16 positive and 16 negative results would be a 
hindrance for people.

Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Markus Gufler

> 1) Do other people want this functionality in external 
> apps such as Sniffer (please speak up if either for or 
> against being able to score multiple hits)?
> 2) Would Declude be willing to introduce the functionality?

Regarding SPAMCHK I can't see any benefit for bitmask return codes. We
understand SPAMCHK as a little crowd of content based tests like already
existing ones (BASE64, SPAMHEADERS or similar)
So the cumulative result of this SpamChk-tests would be a certain weight
that will become part of Declude's final weight.

The only thing that would be useful is, if we can differentiate between
positive and negative results. Or in other words: If we want to combine or
analyze SpamChk results it's not so important if the result was +10 or +40.
But it's a big difference if the result was -10 or +10.

I'm not sure if signed variables could do this for us by using a bitmask
technique. And I'm also not sure if it's technically possible to use bitmasks
since the current interface for external tests is the DOS exit-code. As I
know a value between 0 and 255 ... nothing more.

Markus




Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Matt
Pete McNeil wrote:
> I'm not sure this is really going to be that useful - certainly it
> would be more complex - but if enough people are interested in the
> feature then I would build it.
 

I think this would be most useful in combining hits for SNIFFER-IP 
and/or SNIFFER-EXPERIMENTAL with categorized spam.  My review of one 
day's logs showed an average of 3 individual hits for each final spam 
result, albeit there probably were many examples of multiple hits within 
a single category which might make the average closer to 2 individual 
result codes for each final spam result.

I've noted that the majority of the false positives that I have reported 
have been single hits, and that suggests that by lowering the weight of 
each individual result, one could help protect from false positives 
while scoring most hits at a higher total weight generated by Sniffer.  
Naturally the config would be optional to your users, especially on 
systems that wouldn't support the bitmask (probably only Declude and 
SpamAssassin would be candidates without influence to other companies).

You certainly should know your own rules better than anyone.  A sampling 
of logs I believe would generate something more conclusive and 
scientific, though I don't think that's necessary for myself.  Someone 
could probably grep out the number of times that a final result happened 
with multiple different result codes and give a hard number for the average.

This would also in part solve some of the predominance issues so that it 
wouldn't matter if IP rules took precedence to GENERAL rules under 
normal circumstances, which isn't necessarily desired based on previous 
discussions.

There are certainly other applications for this, for instance SpamChk 
might be able to make better use of this sort of system, and maybe Sandy 
could code up his SpamAssassin connector to make use of this as well.  I 
certainly would like to be able to write a single test that parses the 
E-mail and shares this work over multiple result codes as opposed to 
maintaining two sets of code and having to launch the processes twice.

I pushed the idea for Sniffer because it seemed that there was some 
interest in weighting multiple hits differently in the past based on our 
discussions and such a change would have the widest appeal among the 
Declude customer base.  Despite the fact that you are willing given a 
demand, Declude would also have to support this, though I'm sure that 
you have more influence over that than users like myself.

So I guess there are two things that are left to determine:
   1) Do other people want this functionality in external apps such as 
Sniffer (please speak up if either for or against being able to score 
multiple hits)?
   2) Would Declude be willing to introduce the functionality?

I would be curious about what Markus' and Sandy's feelings were in 
relation to their own apps as well.

Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
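
An added sketch, not code from Declude, Message Sniffer or anyone on the list, of the bitmask scoring argued for above and of the result-width question raised elsewhere in the thread: the external test ORs one bit per matched rule group into its result, and the caller sums a small weight per bit instead of applying one weight per message. The `SNIFFER-GENERAL` name, the bit positions, the weights and the hold threshold are assumptions.

```python
"""Model of the proposed 'bitmask' external-test result (illustration only)."""
from typing import Dict, Iterable, List

# Constructed bit map: one bit per rule group that matched the message.
# SNIFFER-IP and SNIFFER-EXPERIMENTAL are names used in the thread;
# SNIFFER-GENERAL, the bit positions and every weight are assumptions.
BIT_MAP: Dict[str, int] = {
    "SNIFFER-IP": 0x01,
    "SNIFFER-EXPERIMENTAL": 0x02,
    "SNIFFER-GENERAL": 0x04,
}
BIT_WEIGHT: Dict[str, int] = {
    "SNIFFER-IP": 6,
    "SNIFFER-EXPERIMENTAL": 4,
    "SNIFFER-GENERAL": 6,
}
SINGLE_RESULT_WEIGHT = 10  # current model: one result code, one weight
HOLD_WEIGHT = 10           # constructed total at which a message is held


def encode(groups: Iterable[str]) -> int:
    """External-test side: OR together the bit of every group that matched."""
    code = 0
    for group in groups:
        code |= BIT_MAP[group]
    return code


def to_signed(code: int, width: int = 32) -> int:
    """The value a caller sees if it stores the result in a signed int."""
    code &= (1 << width) - 1
    return code - (1 << width) if (code >> (width - 1)) & 1 else code


def set_bits(code: int, width: int = 32) -> List[int]:
    """Bit positions set in a result, whether it arrived signed or unsigned."""
    code &= (1 << width) - 1  # two's complement: a negative value keeps its bits
    return [i for i in range(width) if (code >> i) & 1]


def decode(code: int, width: int = 32) -> List[str]:
    """Caller side: names of the rule groups whose bit is set."""
    code &= (1 << width) - 1
    return [name for name, mask in BIT_MAP.items() if code & mask]


def fits(width: int) -> bool:
    """True if every mask in BIT_MAP survives a result `width` bits wide."""
    return all(mask < (1 << width) for mask in BIT_MAP.values())


def score_bitmask(code: int, width: int = 32) -> int:
    """Proposed model: a lower weight per group, summed over all hits."""
    return sum(BIT_WEIGHT[name] for name in decode(code, width))


def score_single(code: int) -> int:
    """Current model: any non-zero result earns the one fixed weight."""
    return SINGLE_RESULT_WEIGHT if code else 0


if __name__ == "__main__":
    # Constructed messages: which rule groups matched each one.
    samples = {
        "single GENERAL hit": ["SNIFFER-GENERAL"],
        "IP + GENERAL": ["SNIFFER-IP", "SNIFFER-GENERAL"],
        "all three groups": list(BIT_MAP),
    }
    for label, groups in samples.items():
        code = encode(groups)
        single, summed = score_single(code), score_bitmask(code)
        print(f"{label:20} code={code} single={single} "
              f"bitmask={summed} held={summed >= HOLD_WEIGHT}")
    # Width checks: an 8-bit exit code carries 8 groups; a signed 32-bit
    # result still carries all 32 bits once it is masked back to unsigned.
    print("fits in 8 bits:", fits(8))
    print("bit 31 + bit 0 as signed:", to_signed(0x80000001),
          "->", set_bits(to_signed(0x80000001)))
```

With these constructed weights a lone hit scores 6 and stays under the hold threshold, while any two groups together clear it.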


Re: [Declude.JunkMail] Sample Configs

2004-11-05 Thread Matt
It's been my experience that such requests aren't generally answered, at 
least on the list.  More specific requests such as "what DUL lists are 
you using" however generally get answered.  The issue is probably 
related to people not wanting to give away all of their own work.  
Besides, you would otherwise get as many different answers as replies, 
and it would still come down to you making a choice and needing to be 
more informed about what to do.

My first suggestion for anyone running Declude would be to get Sniffer 
(http://www.sortmonster.com).  It's reasonably priced and Sniffer alone 
can tag +95% of your spam with +99.8% accuracy.  The instructions might 
be a little bit confusing at first, but if you make the commitment to do 
this, there are plenty that will help you get it configured.

Matt

Imail_Forum wrote:
> Hello,
>   Just signed back up for this list again.  I was wondering if people could
> share some sample default junkmail files and cfg files?   I am using Declude
> for anti-spam only as of now and would be interested in seeing how other
> people are setting theirs up.  Our current config is working pretty good,
> but would love to make it better.
> Thanks,
> Mark Mitchell
> Inwave Internet Inc.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re[2]: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Pete McNeil
On Friday, November 5, 2004, 8:51:04 AM, Darin wrote:

DC> Also, I don't know for sure whether Scott or Pete  use
DC> unsigned 4-byte ints for the weights.  Scott actually probably
DC> uses  signed ints, so you lose half of the bits...and if the
DC> weight is a 2-byte signed  int then the number of available bits
DC> drops to 15.

Actually, a signed int only loses a single bit, and only if you don't
want to allow the negative numbers --- so in reality all of the bits
in a bitmask type result _should_ be available -- that might be 32 or
16 as you point out. Most likely it's 32 bits since that's the default
these days.

_M





Re[2]: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Pete McNeil
On Friday, November 5, 2004, 8:53:41 AM, Matt wrote:

M> Pete,

M> I'm sure that you would make this optional regardless, but the 
M> functionality would definitely far outweigh the minor bit of confusion
M> when looking at the logs.  If you simply published a map of the bits to
M> the result code logged, that would be plenty fine as far as I'm 

If this gets done then the logs would probably stay the same as they
are and they would indicate the normal voting process used by Sniffer.
The numeric result actually returned by the utility would be built up
from a bit map that you would create in the .cfg file.

I'm not sure this is really going to be that useful - certainly it
would be more complex - but if enough people are interested in the
feature then I would build it.

M> I think the key here is whether or not you think this would enhance
M> Sniffer as a spam blocking mechanism, and whether or not Declude would
M> honor a request to implement this functionality.  It seems to me like it
M> might be relatively easy to implement on your part, and possibly even
M> easier on the Declude side.

It's not trivial, but it's not rocket science either.

_M





Re[2]: [Declude.JunkMail] Sniffer Bitmasks Suggestion?

2004-11-05 Thread Pete McNeil
On Friday, November 5, 2004, 9:44:41 AM, Andy wrote:

AS> Matt/Pete:
AS>  
AS> I may not have understood your specific problem.  But it's
AS> not clear in my mind, what this would gain.
AS>  
AS> Here  is my sniffer configuration.  It already allows me to
AS> score each result  code that it returns?



AS> I  can't see what difference it makes whether the syntax is
AS> "external 052" or  "bitmask 1" - it seems like it would be
AS> one-to-one relationship from sniffer  return code to bitmask?

Under the covers Message Sniffer will match many patterns in each
message. Normally the Result Processor will select a single pattern
match to return so there is only one result per message.



Matt would like to have access to all of the rule groups that matched
a particular message rather than the one selected by the Result
Processor.

He believes that the extra detail will provide him with the ability to
generate more accurate results.

Hope this helps,
_M





Re: [Declude.JunkMail] LOG Levels

2004-11-05 Thread Scott Fisher
If you can handle an Access 2002 DB, I posted a link at the bottom of my
webpage:
http://it.farmprogress.com/declude/declude.htm

The advantage of the db over the code is you can see the table defs. If you
can't handle Access, let me know.

- Original Message - 
From: "Serge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 04, 2004 9:34 PM
Subject: Re: [Declude.JunkMail] LOG Levels


> scott
> thanks for the offer
> i'm more a foxpro guy
> but i suppose the access code will be easy to translate
> would appreciate if you email the code
>
>
> - Original Message - 
> From: "Scott Fisher" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, November 05, 2004 2:32 AM
> Subject: RE: [Declude.JunkMail] LOG Levels
>
>
> > If you are interested, I have Microsoft Access 2002 VBA code that imports
> > the logs into Microsoft Access Databases. Link in a SQL Database instead
> > and you can import to SQL I presume.
> > This code has been working pretty well for months for me.
> >
> > I have individual code for the Declude Virus, Declude Junkmail and for
> > Spamchk.
> >
> > As much as the other tools are interesting, nothing beats a database for
> > its in-depth ability to look at different data elements.
> >
> > -- Original Message --
> > From: "Mark E. Smith" <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > Date:  Thu, 4 Nov 2004 15:55:35 -0500
> >
> >>We have 4 inbound equal MX servers each with 250-350 per day so we're about
> >>the same in net-net load.
> >>I started writing a log parsing program that will consolidate the logs and
> >>insert them into a central SQL database.
> >>That way I'll be able to do a query on a message and debug much easier.
> >>
> >>The problem right now is loading a 350mb (let alone 1.6GB) file with
> >>notepad. :)
> >>
> >>
> >>> -Original Message-
> >>> From: [EMAIL PROTECTED]
> >>> [mailto:[EMAIL PROTECTED] On Behalf Of Glenn \ WCNet
> >>> Sent: Thursday, November 04, 2004 3:24 PM
> >>> To: [EMAIL PROTECTED]
> >>> Subject: Re: [Declude.JunkMail] LOG Levels
> >>>
> >>> My Declude logs at HIGH range between 1.2 and 1.6 GIGABYTES.
> >>> The log for
> >>> 11/3 is 1,701,795 KB.
> >>>
> >>>
> >>> - Original Message -
> >>> From: "Mark E. Smith" <[EMAIL PROTECTED]>
> >>> To: <[EMAIL PROTECTED]>
> >>> Sent: Thursday, November 04, 2004 9:03 AM
> >>> Subject: [Declude.JunkMail] LOG Levels
> >>>
> >>>
> >>> > I've always used LOGLEVEL HIGH on my systems but I'm reconsidering that
> >>> > these days since our logs are running 250mb - 350mb.
> >>> >
> >>> > I use a number of log reports (DLAnalyzer, etc)
> >>> >
> >>> > If I switch to LOGLEVEL MID will I lose anything in my log reporting utils?


[Declude.JunkMail] DNSREPORT - site down?

2004-11-05 Thread Andy Schmidt





DNS Report for microsoft.com
Generated by www.DNSreport.com at 15:26:05 GMT on 05 Nov 2004.

[ERROR: Timed out getting NS data from parent server]


Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Scott Fisher



I believe some ip4r return bitmasks too:
Blitzedall. (the test is 99.8 percent effective, so I don't see potential
for much improvement).
BLARS. (not used by me since it is not effective. Maybe some of the
bitmasking would help?)

If we are on the dreaming subject for the future, the multi.surbl.org SURBL
would be an excellent fit for bitmasks too.
 

  - Original Message -
  From: Matt
  To: [EMAIL PROTECTED]
  Sent: Friday, November 05, 2004 8:04 AM
  Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

  Darin,

  Correct me if I'm wrong, but I was expecting that this would only be
  internal to one external test at one time and have no effect on anything
  else, i.e. DNSBL's.  So the only limitation would be 32 result codes for
  each external test which is workable.  I would also imagine that a
  different variable type could be used for a 'bitmask' type rather than a
  'nonzero', 'weight' or 'external' type.

  Matt

  Darin Cox wrote:

  Certainly...I was thinking of it in the broader sense, though.  For
  example, we run more than 32 tests within Declude, so it would only work
  for us if we culled the list down a bit, which we could probably do quite
  easily with a lot of the DNSBLs that rarely get hit and are almost always
  covered by others.

  Also, I don't know for sure whether Scott or Pete use unsigned 4-byte ints
  for the weights.  Scott actually probably uses signed ints, so you lose
  half of the bits...and if the weight is a 2-byte signed int then the
  number of available bits drops to 15.

  Darin.

  - Original Message -
  From: Matt
  To: [EMAIL PROTECTED]
  Sent: Friday, November 05, 2004 8:41 AM
  Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

  I could deal with 32 result codes for a single test :)

  I'm hoping that Pete will weigh in on this.  We had a discussion once
  about how to weight multiple hits, and he was leaning towards an internal
  probability based method, but this would give us far more flexibility as
  administrators IMO.

  Yesterday on my system Sniffer returned 118,909 results (clean and
  failed), and of the 104,942 failed result codes, there were a total of
  316,206 result codes meaning an average of just about 3 result codes for
  each time a message failed Sniffer.  I was careful not to double count the
  final result with each result code.

  Being able to get an average of 3 Sniffer hits per message would allow me
  to reduce the weights slightly to protect from false positives, and end up
  scoring spam with much higher weights as a result.  This would help my
  system immensely.

  I could also use this for my own programming, but enhancing Sniffer in
  this way would have broad implications across Declude's customer base.

  Matt

  Darin Cox wrote:

  This is the same idea I mentioned a year ago when we were all talking
  about combo tests in Declude...only problem being if you use more unique
  tests than the numeric type supported.  Assuming the weight/bitmask number
  is a 4-byte unsigned int, then we have a maximum of 32 tests.

  Darin.

  - Original Message -
  From: Matt
  To: [EMAIL PROTECTED]
  Sent: Friday, November 05, 2004 7:35 AM
  Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

  If you don't mind me expanding on the bitmask idea...Sniffer users would
  benefit from this greatly as many spams fail multiple Sniffer tests.  This
  would allow us to score each result code that it returned, i.e.

      SNIFFER-GENERAL         bitmask    1     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
      SNIFFER-EXPERIMENTAL    bitmask    2     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
      SNIFFER-OBFUSCATION     bitmask    4     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
      SNIFFER-IP              bitmask    8     "C:\IMail\Declude\Sniffer\execode.exe mycode"    4    0
      SNIFFER-CASINO          bitmask    16    "C:\IMail\Declude\Sniffer\execode.exe mycode"    8    0
      ...

  So if a test such as Sniffer returned a result code of 26, that would mean
  it hit SNIFFER-CASINO, SNIFFER-IP and SNIFFER-EXPERIMENTAL.

  That would be huge :)

  Matt

  Matt wrote:

  Yes, I would be interested in this very much since it would greatly ease
  the management, testing and reporting of such tests, and I have been
  working on something myself that would be capable of returning both
  positive and nega

RE: [Declude.JunkMail] Huge increase in spam in the last 2 days

2004-11-05 Thread Markus Gufler



Not really.
There was a slight increase of around 5% for the last two 
days. 
 
Markus
 
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Friday, November 05, 2004 2:27 PM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] Huge increase in spam in the last 2 days
  
  Anyone else seeing this?  Wednesday our 
  incoming spam increased by about 80%, and yesterday it increased another 
  50%...so there was a total of about a 120% increase in two days.
   
  Someone's been busy.  Also, a lot more 
  zombie spam...
  Darin.
   
   


RE: [Declude.JunkMail] Sniffer Bitmasks Suggestion?

2004-11-05 Thread Andy Schmidt



Matt/Pete:

I may not have understood your specific problem.  But it's not clear in my
mind, what this would gain.

Here is my sniffer configuration.  It already allows me to score each result
code that it returns?

SNIFFER          external  nonzero  "sniffer.exe licensecode"  6  0

SNIFFER-SNAKE    external  052  "sniffer.exe licensecode"  1  0
SNIFFER-SCAMS    external  053  "sniffer.exe licensecode"  2  0
SNIFFER-PORN     external  054  "sniffer.exe licensecode"  2  0
SNIFFER-MALWARE  external  055  "sniffer.exe licensecode"  3  0
SNIFFER-IP       external  060  "sniffer.exe licensecode"  -2  0
SNIFFER-OBFUSC   external  061  "sniffer.exe licensecode"  2  0
SNIFFER-HEUR     external  062  "sniffer.exe licensecode"  1  0

I can't see what difference it makes whether the syntax is "external 052" or
"bitmask 1" - it seems like it would be one-to-one relationship from sniffer
return code to bitmask?

Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206
http://www.HM-Software.com/

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Friday, November 05, 2004 07:35 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

  If you don't mind me expanding on the bitmask idea...Sniffer users would
  benefit from this greatly as many spams fail multiple Sniffer tests.  This
  would allow us to score each result code that it returned, i.e.

      SNIFFER-GENERAL         bitmask    1     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
      SNIFFER-EXPERIMENTAL    bitmask    2     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
      SNIFFER-OBFUSCATION     bitmask    4     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
      SNIFFER-IP              bitmask    8     "C:\IMail\Declude\Sniffer\execode.exe mycode"    4    0
      SNIFFER-CASINO          bitmask    16    "C:\IMail\Declude\Sniffer\execode.exe mycode"    8    0
      ...

  So if a test such as Sniffer returned a result code of 26, that would mean
  it hit SNIFFER-CASINO, SNIFFER-IP and SNIFFER-EXPERIMENTAL.

  That would be huge :)

  Matt


[Declude.JunkMail] Sample Configs

2004-11-05 Thread Imail_Forum
Hello,

   Just signed back up for this list again.  I was wondering if people could
share some sample default junkmail files and cfg files?   I am using Declude
for anti-spam only as of now and would be interested in seeing how other
people are setting theirs up.  Our current config is working pretty good,
but would love to make it better.

Thanks,
Mark Mitchell
Inwave Internet Inc.




Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Matt




Darin,

Correct me if I'm wrong, but I was expecting that this would only be
internal to one external test at one time and have no effect on
anything else, i.e. DNSBL's.  So the only limitation would be 32 result
codes for each external test which is workable.  I would also imagine
that a different variable type could be used for a 'bitmask' type
rather than a 'nonzero',  'weight' or 'external' type.

Matt



Darin Cox wrote:

  
  
  
  Certainly...I was thinking of it in
the broader sense, though.  For example, we run more than 32 tests
within Declude, so it would only work for us if we culled the list down
a bit, which we could probably do quite easily with a lot of the DNSBLs
that rarely get hit and are almost always covered by others.
   
  Also, I don't know for sure whether
Scott or Pete use unsigned 4-byte ints for the weights.  Scott actually
probably uses signed ints, so you lose half of the bits...and if the
weight is a 2-byte signed int then the number of available bits drops
to 15.
  
Darin.
   
   
  - Original Message -
  From: Matt
  To: [EMAIL PROTECTED]
  Sent: Friday, November 05, 2004 8:41 AM
  Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released
  
  
  
I could deal with 32 result codes for a single test :)
  
I'm hoping that Pete will weigh in on this.  We had a discussion once
about how to weight multiple hits, and he was leaning towards an
internal probability based method, but this would give us far more
flexibility as administrators IMO.
  
Yesterday on my system Sniffer returned 118,909 results (clean and
failed), and of the 104,942 failed result codes, there were a total of
316,206 result codes meaning an average of just about 3 result codes
for each time a message failed Sniffer.  I was careful not to double
count the final result with each result code.
  
Being able to get an average of 3 Sniffer hits per message would allow
me to reduce the weights slightly to protect from false positives, and
end up scoring spam with much higher weights as a result.  This would
help my system immensely.
  
I could also use this for my own programming, but enhancing Sniffer in
this way would have broad implications across Declude's customer base.
  
Matt
  
  
  
Darin Cox wrote:
  


This is the same idea I mentioned a year ago when we were all talking
about combo tests in Declude...only problem being if you use more unique
tests than the numeric type supported.  Assuming the weight/bitmask number
is a 4-byte unsigned int, then we have a maximum of 32 tests.

Darin.

- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Friday, November 05, 2004 7:35 AM
Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

If you don't mind me expanding on the bitmask idea...Sniffer users
would benefit from this greatly as many spams fail multiple Sniffer
tests.  This would allow us to score each result code that it returned,
i.e.

    SNIFFER-GENERAL         bitmask    1     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
    SNIFFER-EXPERIMENTAL    bitmask    2     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
    SNIFFER-OBFUSCATION     bitmask    4     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
    SNIFFER-IP              bitmask    8     "C:\IMail\Declude\Sniffer\execode.exe mycode"    4    0
    SNIFFER-CASINO          bitmask    16    "C:\IMail\Declude\Sniffer\execode.exe mycode"    8    0
    ...

So if a test such as Sniffer returned a result code of 26, that would
mean it hit SNIFFER-CASINO, SNIFFER-IP and SNIFFER-EXPERIMENTAL.

That would be huge :)

Matt


Matt wrote:

Yes, I would be interested in this very much since it would greatly ease
the management, testing and reporting of such tests, and I have been
working on something myself that would be capable of returning both
positive and negative weights and I didn't want to be running it twice
to get the separation in log lines.
  
Something else that is a bit OT regarding external tests...I would be
very interested in finding a way to run an external test once and
return multiple result codes, that way if you for instance were testing
different things that both required substantial code and extra I/O, you
could make things much more efficient and also greatly simplify the
management of your code.  I understand of course that you could create
a set of 4 result codes to represent the combination of two hits, but
it quickly becomes unwieldy as it grows exponentially.  Is there a way
that you could return multiple result codes and have Declude fail
multiple tests without running the test multiple times?  I'm thinking
that something like a bitmask returned and then interpreted by Declude
to match zero to many tests.
  
    http://www.joestump.net/170933118/a-quick-bi

Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread DLAnalyzer Support
Darin, 

If it's an unsigned 4-byte wouldn't it be 4,294,967,295 tests?

Darrell 

Darin Cox writes: 

This is the same idea I mentioned a year ago when we were all talking about combo tests in Declude...only problem being if you use more unique tests than the numeric type supported.  Assuming the weight/bitmask number is a 4-byte unsigned int, then we have a maximum of 32 tests.

Darin. 

- Original Message - 
From: Matt 
To: [EMAIL PROTECTED] 
Sent: Friday, November 05, 2004 7:35 AM
Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released 

If you don't mind me expanding on the bitmask idea...Sniffer users would benefit from this greatly as many spams fail multiple Sniffer tests.  This would allow us to score each result code that it returned, i.e.

SNIFFER-GENERAL         bitmask    1     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
SNIFFER-EXPERIMENTAL    bitmask    2     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
SNIFFER-OBFUSCATION     bitmask    4     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
SNIFFER-IP              bitmask    8     "C:\IMail\Declude\Sniffer\execode.exe mycode"    4    0
SNIFFER-CASINO          bitmask    16    "C:\IMail\Declude\Sniffer\execode.exe mycode"    8    0
...

So if a test such as Sniffer returned a result code of 26, that would mean it hit SNIFFER-CASINO, SNIFFER-IP and SNIFFER-EXPERIMENTAL. 

That would be huge :) 

Matt 

Matt wrote: 

  Yes, I would be interested in this very much since it would greatly ease the management, testing and reporting of such tests, and I have been working on something myself that would be capable of returning both positive and negative weights and I didn't want to be running it twice to get the separation in log lines. 

  Something else that is a bit OT regarding external tests...I would be very interested in finding a way to run an external test once and return multiple result codes, that way if you for instance were testing different things that both required substantial code and extra I/O, you could make things much more efficient and also greatly simplify the management of your code.  I understand of course that you could create a set of 4 result codes to represent the combination of two hits, but it quickly becomes unwieldy as it grows exponentially.  Is there a way that you could return multiple result codes and have Declude fail multiple tests without running the test multiple times?  I'm thinking that something like a bitmask returned and then interpreted by Declude to match zero to many tests. 

  http://www.joestump.net/170933118/a-quick-bitmask-howto-for-programmers 

  Note that if this was available, I would probably prefer this over weight+ and weight- for my own needs since I don't perceive being able to do both :) 

  Thanks, 

  Matt 

 

  Markus Gufler wrote: 

Yet another update to SPAMC32 that's useful when deployed as 
a Declude 'weight'  test type. See the release notes below 
and download from the traditional /release folder.

As SpamChk is not anymore alone as external 'weight' test maybe also SPAMC32
users are interested in having 'weight+' and 'weight-'
So it would be possible to configure two config lines one for a positive the
other for negative results.

For example 

SPAMASSASSIN+ weight+ c:\imail\...
SPAMASSASSIN- weight- c:\imail\... 

The benefits? 

1.) It would become possible to use the results of weight tests for
combination filters.
Up to now it was not possible to assign extra points, for example if an
IP4R-test and SPAMCHK has failed.
As both tests are technically completely different the combination would be
highly accurate.
You can see this for example on http://www2.spamchk.com/public.html on the
already existing COMBO-... tests.

2.) Creating reports would be much easier and more clear if weight tests can
be separated like showed above. 

I've suggested this some months ago to Scott. Maybe now with some additional
interested parties... 

Markus 


   

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
= 



Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, MRTG Integration, and

Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Matt
Pete,
I'm sure that you would make this optional regardless, but the 
functionality would definitely far outweigh the minor bit of confusion 
when looking at the logs.  If you simply published a map of the bits to 
the result code logged, that would be plenty fine as far as I'm 
concerned.  In my experience, people tend not to look at the Sniffer 
logs all that much and instead focus on the tests failed in the Declude 
log, and this would give us a full record of each Sniffer result in the 
Declude log minus the double hits and the ID of each hit which would be 
easy enough to track down if necessary.  The only thing that I do with 
my Sniffer logs is upload them to you.

I think the key here is whether or not you think this would enhance 
Sniffer as a spam blocking mechanism, and whether or not Declude would 
honor a request to implement this functionality.  It seems to me like it 
might be relatively easy to implement on your part, and possibly even 
easier on the Declude side.

Matt

Pete McNeil wrote:

There is an additional challenge with working Sniffer this way.

Sniffer uses a competitive selection function to derive a single
result value... this helps to prioritize the rule strength analysis.

If I were to map symbols to bits (which would happen in the .cfg file)
then the log file would need to remain as it is in order to preserve
the rule strength analysis.

This might be very confusing.

Thoughts?

_M

BTW: There are fewer than 32 active rule groups in the default
rulebase so 32 bits should be plenty of bandwidth for this if needed.

On Friday, November 5, 2004, 8:11:59 AM, Darin wrote:

DC> This is the same idea I mentioned a year ago when we were
DC> all talking about combo tests in Declude...only problem being if
DC> you use more unique tests than the numeric type supported.
DC> Assuming the weight/bitmask number is a 4-byte unsigned int, then
DC> we have a maximum of 32 tests.

DC> Darin.

DC> - Original Message -
DC> From: Matt
DC> To: [EMAIL PROTECTED]
DC> Sent: Friday, November 05, 2004 7:35 AM
DC> Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin
DC> SPAMC for Declude) 0.5.57 released

DC> If you don't mind me expanding on the bitmask idea...Sniffer
DC> users would benefit from this greatly as many spams fail multiple
DC> Sniffer tests.  This would allow us to score each result code
DC> that it returned, i.e.
DC> SNIFFER-GENERAL    bitmask    1    "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
DC> SNIFFER-EXPERIMENTAL    bitmask    2



--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Darin Cox



Certainly...I was thinking of it in the broader 
sense, though.  For example, we run more than 32 tests within Declude, so 
it would only work for us if we culled the list down a bit, which we could 
probably do quite easily with a lot of the DNSBLs that rarely get hit and are 
almost always covered by others.
 
Also, I don't know for sure whether Scott or Pete 
use unsigned 4-byte ints for the weights.  Scott actually probably uses 
signed ints, so you lose half of the bits...and if the weight is a 2-byte signed 
int then the number of available bits drops to 15.
Darin.
 
 
- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Friday, November 05, 2004 8:41 AM
Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

I could deal with 32 result codes for a single test :)

I'm hoping that Pete will weigh in on this.  We had a discussion once about
how to weight multiple hits, and he was leaning towards an internal
probability based method, but this would give us far more flexibility as
administrators IMO.

Yesterday on my system Sniffer returned 118,909 results (clean and failed),
and of the 104,942 failed result codes, there were a total of 316,206 result
codes meaning an average of just about 3 result codes for each time a
message failed Sniffer.  I was careful not to double count the final result
with each result code.

Being able to get an average of 3 Sniffer hits per message would allow me to
reduce the weights slightly to protect from false positives, and end up
scoring spam with much higher weights as a result.  This would help my
system immensely.

I could also use this for my own programming, but enhancing Sniffer in this
way would have broad implications across Declude's customer base.

Matt

Darin Cox wrote:

  This is the same idea I mentioned a year ago when we were all talking
  about combo tests in Declude...only problem being if you use more unique
  tests than the numeric type supported.  Assuming the weight/bitmask number
  is a 4-byte unsigned int, then we have a maximum of 32 tests.

  Darin.

  - Original Message -
  From: Matt
  To: [EMAIL PROTECTED]
  Sent: Friday, November 05, 2004 7:35 AM
  Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

  If you don't mind me expanding on the bitmask idea...Sniffer users would
  benefit from this greatly as many spams fail multiple Sniffer tests.  This
  would allow us to score each result code that it returned, i.e.

      SNIFFER-GENERAL         bitmask    1     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
      SNIFFER-EXPERIMENTAL    bitmask    2     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
      SNIFFER-OBFUSCATION     bitmask    4     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
      SNIFFER-IP              bitmask    8     "C:\IMail\Declude\Sniffer\execode.exe mycode"    4    0
      SNIFFER-CASINO          bitmask    16    "C:\IMail\Declude\Sniffer\execode.exe mycode"    8    0
      ...

  So if a test such as Sniffer returned a result code of 26, that would mean
  it hit SNIFFER-CASINO, SNIFFER-IP and SNIFFER-EXPERIMENTAL.

  That would be huge :)

  Matt

  Matt wrote:

  Yes, I would be interested in this very much since it would greatly ease
  the management, testing and reporting of such tests, and I have been
  working on something myself that would be capable of returning both
  positive and negative weights and I didn't want to be running it twice to
  get the separation in log lines.

  Something else that is a bit OT regarding external tests...I would be very
  interested in finding a way to run an external test once and return
  multiple result codes, that way if you for instance were testing different
  things that both required substantial code and extra I/O, you could make
  things much more efficient and also greatly simplify the management of
  your code.  I understand of course that you could create a set of 4 result
  codes to represent the combination of two hits, but it quickly becomes
  unwieldy as it grows exponentially.  Is there a way that you could return
  multiple result codes and have Declude fail multiple tests without running
  the test multiple times?  I'm thinking that something like a bitmask
  returned and then interpreted by Declude to match zero to many tests.

      http://www.joestump.net/170933118/a-quick-bitmask-howto-for-programmers

  Note that if this was available, I would probably prefer this over weight+
  and weight- for my own needs since I don't perceive being able to do both
  :)

  Thanks,

  Matt

  Markus Gufler wrote:

  Yet another update to SPAMC32 that's useful when deployed as
  a Declude 'weight'  test type. See the release notes below
  and download from the traditional /release folder.

  As Sp

Re: [Declude.JunkMail] LOG Levels

2004-11-05 Thread Nick
On 5 Nov 2004 at 3:34, Serge wrote:

Serge,

> i'm more a foxpro guy
hmm - I figured I was the only foxpro guy on this list!  :)

-Nick



> but i suppose the access code will be easy to translate
> would appreciate if you email the code
> 
> 
> - Original Message - 
> From: "Scott Fisher" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, November 05, 2004 2:32 AM
> Subject: RE: [Declude.JunkMail] LOG Levels
> 
> 
> > If you are interested, I have Microsoft Access 2002 VBA code that
> > imports the logs into Microsoft Access Databases. Link in a SQL
> > Database instead and you can import to SQL I presume. This code has
> > been working pretty well for months for me.
> >
> > I have individual code for the Declude Virus, Declude Junkmail and
> > for Spamchk.
> >
> > As much as the other tools are interesting, nothing beats a database
> > for its in-depth ability to look at different data elements.
> >
> > -- Original Message --
> > From: "Mark E. Smith" <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > Date:  Thu, 4 Nov 2004 15:55:35 -0500
> >
> >>We have 4 inbound equal MX servers each with 250-350 per day so
> >>we're about the same in net-net load. I started writing a log
> >>parsing program that will consolidate the logs and insert them into
> >>a central SQL database. That way I'll be able to do a query on a
> >>message and debug much easier.
> >>
> >>The problem right now is loading a 350mb (let alone 1.6GB) file with
> >>notepad. :)
> >>
> >>
> >>> -Original Message-
> >>> From: [EMAIL PROTECTED]
> >>> [mailto:[EMAIL PROTECTED] On Behalf Of Glenn \ WCNet
> >>> Sent: Thursday, November 04, 2004 3:24 PM
> >>> To: [EMAIL PROTECTED]
> >>> Subject: Re: [Declude.JunkMail] LOG Levels
> >>>
> >>> My Declude logs at HIGH range between 1.2 and 1.6 GIGABYTES.
> >>> The log for
> >>> 11/3 is 1,701,795 KB.
> >>>
> >>>
> >>> - Original Message -
> >>> From: "Mark E. Smith" <[EMAIL PROTECTED]>
> >>> To: <[EMAIL PROTECTED]>
> >>> Sent: Thursday, November 04, 2004 9:03 AM
> >>> Subject: [Declude.JunkMail] LOG Levels
> >>>
> >>>
> >>> > I've always used LOGLEVEL HIGH on my systems but I'm
> >>> reconsidering that
> >>> > these days since our logs are running 250mb - 350mb.
> >>> >
> >>> > I use a number of log reports (DLAnalyizer, etc)
> >>> >
> >>> > If I switch to LOGLEVEL MID will I lose anything in my log
> >>> > reporting
> >>> utils?
> >>> >
> >>> >
> >>> > ---
> >>> > [This E-mail was scanned for viruses by Declude Virus
> >>> (http://www.declude.com)]
> >>> >
> >>> > ---
> >>> > This E-mail came from the Declude.JunkMail mailing list.  To
> >>> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >>> > type "unsubscribe Declude.JunkMail".  The archives can be found
> >>> > at http://www.mail-archive.com.
> >>> >


Re: [Declude.JunkMail] Huge increase in spam in the last 2 days

2004-11-05 Thread Pete McNeil
On Friday, November 5, 2004, 8:26:30 AM, Darin wrote:

DC> Anyone else seeing this?  Wednesday our  incoming spam
DC> increased by about 80%, and yesterday it increased another 
DC> 50%...so there was a total of about a 120% increase in two days.
DC>  
DC> Someone's been busy.  Also, a lot more zombie  spam...

I'm not seeing anything that significant in reported logs, though I
did sense a spike of some kind locally.





_M

  




Re: [Declude.JunkMail] OT: expanding beyond one mailhost

2004-11-05 Thread Nick
On 4 Nov 2004 at 16:01, Colbeck, Andrew wrote:

Hi Andrew -

> An Off Topic thread ...
> 
> On various domains I administer, a single point of failure mailhost
> has been good enough, but I'm shortly going to add a second host on a
> second network for redundancy.
If you are looking for a location or simply a backup mx please 
contact me off list. I do backup mx's & colos even for others on this 
list  :) 
 
> a classic MX = 10 and MX = 20 with a separate A
> record for each.
This is the way I suggest - as Pete stated:
"This approach is well understood and time tested... not much to go
wrong IMO."

-Nick



Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Matt




I could deal with 32 result codes for a single test :)

I'm hoping that Pete will weigh in on this.  We had a discussion once
about how to weight multiple hits, and he was leaning towards an
internal probability based method, but this would give us far more
flexibility as administrators IMO.

Yesterday on my system Sniffer returned 118,909 results (clean and
failed), and of the 104,942 failed result codes, there were a total of
316,206 result codes meaning an average of just about 3 result codes
for each time a message failed Sniffer.  I was careful not to double
count the final result with each result code.

Being able to get an average of 3 Sniffer hits per message would allow
me to reduce the weights slightly to protect from false positives, and
end up scoring spam with much higher weights as a result.  This would
help my system immensely.

I could also use this for my own programming, but enhancing Sniffer in
this way would have broad implications across Declude's customer base.

Matt



Darin Cox wrote:

  
  
  
  
This is the same idea I mentioned a year ago when we were all talking
about combo tests in Declude...only problem being if you use more unique
tests than the numeric type supported.  Assuming the weight/bitmask number
is a 4-byte unsigned int, then we have a maximum of 32 tests.

Darin.

- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Friday, November 05, 2004 7:35 AM
Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released
  
  
  
If you don't mind me expanding on the bitmask idea...Sniffer users
would benefit from this greatly as many spams fail multiple Sniffer
tests.  This would allow us to score each result code that it returned,
i.e.

    SNIFFER-GENERAL         bitmask    1     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
    SNIFFER-EXPERIMENTAL    bitmask    2     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
    SNIFFER-OBFUSCATION     bitmask    4     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
    SNIFFER-IP              bitmask    8     "C:\IMail\Declude\Sniffer\execode.exe mycode"    4    0
    SNIFFER-CASINO          bitmask    16    "C:\IMail\Declude\Sniffer\execode.exe mycode"    8    0
    ...
  
So if a test such as Sniffer returned a result code of 26, that would
mean it hit SNIFFER-CASINO, SNIFFER-IP and SNIFFER-EXPERIMENTAL.
  
That would be huge :)
  
Matt
  
  
Matt wrote:

Yes, I would be interested in this very much since it would greatly ease the
management, testing and reporting of such tests, and I have been
working on something myself that would be capable of returning both
positive and negative weights and I didn't want to be running it twice
to get the separation in log lines.

Something else that is a bit OT regarding external tests...I would be
very interested in finding a way to run an external test once and
return multiple result codes, that way if you for instance were testing
different things that both required substantial code and extra I/O, you
could make things much more efficient and also greatly simplify the
management of your code.  I understand of course that you could create
a set of 4 result codes to represent the combination of two hits, but
it quickly becomes unwieldy as it grows exponentially.  Is there a way
that you could return multiple result codes and have Declude fail
multiple tests without running the test multiple times?  I'm thinking
that something like a bitmask returned and then interpreted by Declude
to match zero to many tests.

    http://www.joestump.net/170933118/a-quick-bitmask-howto-for-programmers

Note that if this was available, I would probably prefer this over
weight+ and weight- for my own needs since I don't perceive being able
to do both :)

Thanks,

Matt



Markus Gufler wrote:

  
Yet another update to SPAMC32 that's useful when deployed as 
a Declude 'weight'  test type. See the release notes below 
and download from the traditional /release folder.

  
  
As SpamChk is not anymore alone as external 'weight' test maybe also SPAMC32
users are interested in having 'weight+' and 'weight-'
So it would be possible to configure two config lines one for a positive the
other for negative results.

For example

SPAMASSASSIN+ weight+ c:\imail\...
SPAMASSASSIN- weight- c:\imail\...


The benefits?

1.) It would become possible to use the results of weight tests for
combination filters.
Up to now it was not possible to assign extra points, for example if an
IP4R-test and SPAMCHK has failed.
As both tests are technically completely different the combination would be
highly accurate.
You can see this for example on http://www2.spamchk.com/public.html on the
already existing COMBO-... tests.

2.) Creating reports would be much easier and more clear if weight tests can
be separated like shown above.

I've suggested t

Re[2]: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Pete McNeil
There is an additional challenge with working Sniffer this way.
Sniffer uses a competitive selection function to derive a single
result value... this helps to prioritize the rule strength analysis.

If I were to map symbols to bits (which would happen in the .cfg file)
then the log file would need to remain as it is in order to preserve
the rule strength analysis.

This might be very confusing.

Thoughts?

_M

BTW: There are fewer than 32 active rule groups in the default
rulebase so 32 bits should be plenty of bandwidth for this if needed.

On Friday, November 5, 2004, 8:11:59 AM, Darin wrote:

DC> This is the same idea I mentioned a year ago when we were
DC> all talking about combo tests in Declude...only problem being if
DC> you use more unique tests than the numeric type supported.
DC> Assuming the weight/bitmask number is a 4-byte unsigned int, then
DC> we have a maximum of 32 tests.

DC> Darin.
DC>  
DC>  
DC> - Original Message - 
DC> From: Matt
DC> To: [EMAIL PROTECTED]
DC> Sent: Friday, November 05, 2004 7:35 AM
DC> Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin
DC> SPAMC for Declude) 0.5.57 released



DC> If you don't mind me expanding on the bitmask idea...Sniffer
DC> users would benefit from this greatly as many spams fail multiple
DC> Sniffer tests.  This would allow us to score each result code
DC> that it returned, i.e.

DC>     SNIFFER-GENERAL            bitmask    1    
DC> "C:\IMail\Declude\Sniffer\execode.exe mycode"     6    0 
DC>      SNIFFER-EXPERIMENTAL    bitmask    2    





[Declude.JunkMail] Huge increase in spam in the last 2 days

2004-11-05 Thread Darin Cox



Anyone else seeing this?  Wednesday our 
incoming spam increased by about 80%, and yesterday it increased another 
50%...so there was a total of about a 120% increase in two days.
 
Someone's been busy.  Also, a lot more zombie 
spam...
Darin.
 
 


Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Darin Cox



This is the same idea I mentioned a year
ago when we were all talking about combo tests in Declude...only
problem being if you use more unique tests than the numeric type
supported.  Assuming the weight/bitmask number is a 4-byte unsigned int,
then we have a maximum of 32 tests.

Darin.
 
 
- Original Message - 
From: Matt 
To: [EMAIL PROTECTED] 

Sent: Friday, November 05, 2004 7:35 AM
Subject: Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for 
Declude) 0.5.57 released
If you don't mind me expanding on the bitmask idea...Sniffer
users would benefit from this greatly as many spams fail multiple Sniffer
tests.  This would allow us to score each result code that it returned,
i.e.

    SNIFFER-GENERAL         bitmask    1     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
    SNIFFER-EXPERIMENTAL    bitmask    2     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
    SNIFFER-OBFUSCATION     bitmask    4     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
    SNIFFER-IP              bitmask    8     "C:\IMail\Declude\Sniffer\execode.exe mycode"    4    0
    SNIFFER-CASINO          bitmask    16    "C:\IMail\Declude\Sniffer\execode.exe mycode"    8    0
    ...

So if a test such as Sniffer returned a result code of 26, that would
mean it hit SNIFFER-CASINO, SNIFFER-IP and SNIFFER-EXPERIMENTAL.

That would be huge :)

Matt

Matt wrote:

Yes, I would be interested in this very much since it would greatly
ease the management, testing and reporting of such tests, and I have
been working on something myself that would be capable of returning
both positive and negative weights and I didn't want to be running it
twice to get the separation in log lines.

Something else that is a bit OT regarding external tests...I would be
very interested in finding a way to run an external test once and
return multiple result codes, that way if you for instance were testing
different things that both required substantial code and extra I/O, you
could make things much more efficient and also greatly simplify the
management of your code.  I understand of course that you could create
a set of 4 result codes to represent the combination of two hits, but
it quickly becomes unwieldy as it grows exponentially.  Is there a way
that you could return multiple result codes and have Declude fail
multiple tests without running the test multiple times?  I'm thinking
that something like a bitmask returned and then interpreted by Declude
to match zero to many tests.

    http://www.joestump.net/170933118/a-quick-bitmask-howto-for-programmers

Note that if this was available, I would probably prefer this over
weight+ and weight- for my own needs since I don't perceive being able
to do both :)

Thanks,

Matt

Markus Gufler wrote:
  
Yet another update to SPAMC32 that's useful when deployed as 
a Declude 'weight'  test type. See the release notes below 
and download from the traditional /release folder.

As SpamChk is not anymore alone as external 'weight' test maybe also SPAMC32
users are interested in having 'weight+' and 'weight-'
So it would be possible to configure two config lines one for a positive the
other for negative results.

For example

SPAMASSASSIN+ weight+ c:\imail\...
SPAMASSASSIN- weight- c:\imail\...


The benefits?

1.) It would become possible to use the results of weight tests for
combination filters.
Up to now it was not possible to assign extra points, for example if an
IP4R-test and SPAMCHK has failed.
As both tests are technically completely different the combination would be
highly accurate.
You can see this for example on http://www2.spamchk.com/public.html on the
already existing COMBO-... tests.

2.) Creating reports would be much easier and more clear if weight tests can
be separated like shown above.

I've suggested this some months ago to Scott. Maybe now with some additional
interested parties...

Markus




-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Matt




If you don't mind me expanding on the bitmask idea...Sniffer users
would benefit from this greatly as many spams fail multiple Sniffer
tests.  This would allow us to score each result code that it returned,
i.e.

    SNIFFER-GENERAL         bitmask    1     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
    SNIFFER-EXPERIMENTAL    bitmask    2     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
    SNIFFER-OBFUSCATION     bitmask    4     "C:\IMail\Declude\Sniffer\execode.exe mycode"    6    0
    SNIFFER-IP              bitmask    8     "C:\IMail\Declude\Sniffer\execode.exe mycode"    4    0
    SNIFFER-CASINO          bitmask    16    "C:\IMail\Declude\Sniffer\execode.exe mycode"    8    0
    ...

So if a test such as Sniffer returned a result code of 26, that would
mean it hit SNIFFER-CASINO, SNIFFER-IP and SNIFFER-EXPERIMENTAL.

That would be huge :)

Matt


Matt wrote:

  
  
Yes, I would be interested in this very much since it would greatly
ease the management, testing and reporting of such tests, and I have
been working on something myself that would be capable of returning
both positive and negative weights and I didn't want to be running it
twice to get the separation in log lines.
  
Something else that is a bit OT regarding external tests...I would be
very interested in finding a way to run an external test once and
return multiple result codes, that way if you for instance were testing
different things that both required substantial code and extra I/O, you
could make things much more efficient and also greatly simplify the
management of your code.  I understand of course that you could create
a set of 4 result codes to represent the combination of two hits, but
it quickly becomes unwieldy as it grows exponentially.  Is there a way
that you could return multiple result codes and have Declude fail
multiple tests without running the test multiple times?  I'm thinking
that something like a bitmask returned and then interpreted by Declude
to match zero to many tests.
  
   
  http://www.joestump.net/170933118/a-quick-bitmask-howto-for-programmers
  
Note that if this was available, I would probably prefer this over
weight+ and weight- for my own needs since I don't perceive being able
to do both :)
  
Thanks,
  
Matt
  
  
  
Markus Gufler wrote:
  

  Yet another update to SPAMC32 that's useful when deployed as 
a Declude 'weight'  test type. See the release notes below 
and download from the traditional /release folder.



As SpamChk is not anymore alone as external 'weight' test maybe also SPAMC32
users are interested in having 'weight+' and 'weight-'
So it would be possible to configure two config lines one for a positive the
other for negative results.

For example

SPAMASSASSIN+ weight+ c:\imail\...
SPAMASSASSIN- weight- c:\imail\...


The benefits?

1.) It would become possible to use the results of weight tests for
combination filters.
Up to now it was not possible to assign extra points, for example if an
IP4R-test and SPAMCHK has failed.
As both tests are technically completely different the combination would be
highly accurate.
You can see this for example on http://www2.spamchk.com/public.html on the
already existing COMBO-... tests.

2.) Creating reports would be much easier and more clear if weight tests can
be separated like shown above.

I've suggested this some months ago to Scott. Maybe now with some additional
interested parties...

Markus




  
  
  
  -- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
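
The bitmask scheme proposed in this message, together with the 32-test ceiling from Darin's reply, worked through as an added Python example; it is not code from the thread, from Declude or from Sniffer. The `bitmask` test type is the thread's proposal rather than an existing feature, reading the two trailing numbers as weight-when-hit and weight-when-not-hit is an assumption, and `parse_config`, `decode` and `score` are hypothetical names.

```python
import re
from typing import NamedTuple

MAX_BITS = 32  # the thread's assumption: the result code is a 4-byte unsigned int

# Constructed sample, laid out like the lines proposed in the post:
#   NAME  bitmask  BIT  "COMMAND"  WEIGHT-WHEN-HIT  WEIGHT-WHEN-NOT-HIT  (assumed meaning)
PROPOSED_CONFIG = r'''
SNIFFER-GENERAL       bitmask  1   "C:\IMail\Declude\Sniffer\execode.exe mycode"  6  0
SNIFFER-EXPERIMENTAL  bitmask  2   "C:\IMail\Declude\Sniffer\execode.exe mycode"  6  0
SNIFFER-OBFUSCATION   bitmask  4   "C:\IMail\Declude\Sniffer\execode.exe mycode"  6  0
SNIFFER-IP            bitmask  8   "C:\IMail\Declude\Sniffer\execode.exe mycode"  4  0
SNIFFER-CASINO        bitmask  16  "C:\IMail\Declude\Sniffer\execode.exe mycode"  8  0
'''

LINE_RE = re.compile(r'^(\S+)\s+bitmask\s+(\d+)\s+"([^"]*)"\s+(-?\d+)\s+(-?\d+)$')


class BitTest(NamedTuple):
    name: str
    bit: int
    command: str
    hit_weight: int
    miss_weight: int


def parse_config(text):
    """Parse proposed bitmask lines, rejecting bit values that cannot be decoded."""
    tests, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a bitmask test line")
        name, bit, command = m.group(1), int(m.group(2)), m.group(3)
        # Each test must own exactly one bit, or two hits could not be told apart.
        if bit <= 0 or bit & (bit - 1):
            raise ValueError(f"line {lineno}: {bit} is not a single bit")
        if bit >= 1 << MAX_BITS:
            raise ValueError(f"line {lineno}: {bit} does not fit in {MAX_BITS} bits")
        if bit in seen:
            raise ValueError(f"line {lineno}: bit {bit} already used by {seen[bit]}")
        seen[bit] = name
        tests.append(BitTest(name, bit, command, int(m.group(4)), int(m.group(5))))
    return tests


def decode(result_code, tests):
    """Return (names of the tests hit, leftover bits that no configured test claims)."""
    if not 0 <= result_code < 1 << MAX_BITS:
        raise ValueError(f"result code {result_code} is outside the {MAX_BITS}-bit range")
    hits = [t.name for t in tests if result_code & t.bit]
    known = 0
    for t in tests:
        known |= t.bit
    return hits, result_code & ~known


def score(result_code, tests):
    """Total weight from a single run: every configured test contributes once."""
    hits, _ = decode(result_code, tests)
    return sum(t.hit_weight if t.name in hits else t.miss_weight for t in tests)


TESTS = parse_config(PROPOSED_CONFIG)

if __name__ == "__main__":
    for code in (0, 26, 26 | 64):  # 64 is a bit no configured test claims
        hits, unknown = decode(code, TESTS)
        print(code, hits, "unknown bits:", unknown, "weight:", score(code, TESTS))
```

A leftover bit such as 64 is worth logging rather than dropping, since it means the external program and the config have drifted apart.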




Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Matt




Yes, I would be interested in this very much since it would greatly
ease the management, testing and reporting of such tests, and I have
been working on something myself that would be capable of returning
both positive and negative weights and I didn't want to be running it
twice to get the separation in log lines.

Something else that is a bit OT regarding external tests...I would be
very interested in finding a way to run an external test once and
return multiple result codes, that way if you for instance were testing
different things that both required substantial code and extra I/O, you
could make things much more efficient and also greatly simplify the
management of your code.  I understand of course that you could create
a set of 4 result codes to represent the combination of two hits, but
it quickly becomes unwieldy as it grows exponentially.  Is there a way
that you could return multiple result codes and have Declude fail
multiple tests without running the test multiple times?  I'm thinking
that something like a bitmask returned and then interpreted by Declude
to match zero to many tests.

   
http://www.joestump.net/170933118/a-quick-bitmask-howto-for-programmers

Note that if this was available, I would probably prefer this over
weight+ and weight- for my own needs since I don't perceive being able
to do both :)

Thanks,

Matt



Markus Gufler wrote:

  
Yet another update to SPAMC32 that's useful when deployed as 
a Declude 'weight'  test type. See the release notes below 
and download from the traditional /release folder.

  
  
As SpamChk is not anymore alone as external 'weight' test maybe also SPAMC32
users are interested in having 'weight+' and 'weight-'
So it would be possible to configure two config lines one for a positive the
other for negative results.

For example

SPAMASSASSIN+ weight+ c:\imail\...
SPAMASSASSIN- weight- c:\imail\...


The benefits?

1.) It would become possible to use the results of weight tests for
combination filters.
Up to now it was not possible to assign extra points, for example if an
IP4R-test and SPAMCHK has failed.
As both tests are technically completely different the combination would be
highly accurate.
You can see this for example on http://www2.spamchk.com/public.html on the
already existing COMBO-... tests.

2.) Creating reports would be much easier and more clear if weight tests can
be separated like shown above.

I've suggested this some months ago to Scott. Maybe now with some additional
interested parties...

Markus




  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




RE: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.57 released

2004-11-05 Thread Markus Gufler

> Yet another update to SPAMC32 that's useful when deployed as 
> a Declude 'weight'  test type. See the release notes below 
> and download from the traditional /release folder.

As SpamChk is not anymore alone as external 'weight' test maybe also SPAMC32
users are interested in having 'weight+' and 'weight-'
So it would be possible to configure two config lines one for a positive the
other for negative results.

For example

SPAMASSASSIN+ weight+ c:\imail\...
SPAMASSASSIN- weight- c:\imail\...


The benefits?

1.) It would become possible to use the results of weight tests for
combination filters.
Up to now it was not possible to assign extra points, for example if an
IP4R-test and SPAMCHK has failed.
As both tests are technically completely different the combination would be
highly accurate.
You can see this for example on http://www2.spamchk.com/public.html on the
already existing COMBO-... tests.

2.) Creating reports would be much easier and more clear if weight tests can
be separated like shown above.

I've suggested this some months ago to Scott. Maybe now with some additional
interested parties...

Markus

